[Sandbox] Reduce entitlements granted by default

Since App Store approval decided these suddenly matter.

Signed-off-by: Christopher Snowhill <[email protected]>

Cog.entitlements

@@ -4,14 +4,8 @@
 <dict>
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
-	<key>com.apple.security.assets.movies.read-only</key>
-	<true/>
-	<key>com.apple.security.assets.music.read-only</key>
-	<true/>
 	<key>com.apple.security.cs.allow-jit</key>
 	<true/>
-	<key>com.apple.security.files.downloads.read-only</key>
-	<true/>
 	<key>com.apple.security.files.user-selected.read-write</key>
 	<true/>
 	<key>com.apple.security.network.client</key>

Preferences/Preferences/PathSuggester.m

@@ -24,35 +24,6 @@ @interface PlaylistEntry
 @property(nonatomic) NSURL *_Nullable url;
 @end
 
-static NSURL *containerDirectory(void) {
-	NSString *path = [@"~" stringByExpandingTildeInPath];
-	return [NSURL fileURLWithPath:path];
-}
-
-// XXX this is only for comparison, not "escaping the sandbox"
-static NSURL *pathEscape(NSString *path) {
-	NSString *componentsToRemove = [NSString stringWithFormat:@"Library/Containers/%@/Data/", [[NSBundle mainBundle] bundleIdentifier]];
-	NSRange rangeOfMatch = [path rangeOfString:componentsToRemove];
-	if(rangeOfMatch.location != NSNotFound)
-		path = [path stringByReplacingCharactersInRange:rangeOfMatch withString:@""];
-	return [NSURL fileURLWithPath:path];
-}
-
-static NSURL *defaultMusicDirectory(void) {
-	NSString *path = [NSSearchPathForDirectoriesInDomains(NSMusicDirectory, NSUserDomainMask, YES) lastObject];
-	return pathEscape(path);
-}
-
-static NSURL *defaultDownloadsDirectory(void) {
-	NSString *path = [NSSearchPathForDirectoriesInDomains(NSDownloadsDirectory, NSUserDomainMask, YES) lastObject];
-	return pathEscape(path);
-}
-
-static NSURL *defaultMoviesDirectory(void) {
-	NSString *path = [NSSearchPathForDirectoriesInDomains(NSMoviesDirectory, NSUserDomainMask, YES) lastObject];
-	return pathEscape(path);
-}
-
 @interface PathItem : NSObject
 @property(nonatomic, strong) NSString *path;
 @property(nonatomic) BOOL enabled;
@@ -99,12 +70,6 @@ - (IBAction)beginSuggestion:(id)sender {
 
 	if(!results || [results count] < 1) return;
 
-	NSURL *defaultMusic = defaultMusicDirectory();
-	NSURL *defaultDownloads = defaultDownloadsDirectory();
-	NSURL *defaultMovies = defaultMoviesDirectory();
-
-	NSURL *container = containerDirectory();
-
 	id sandboxBrokerClass = NSClassFromString(@"SandboxBroker");
 
 	NSMutableArray *items = [[NSMutableArray alloc] init];
@@ -125,7 +90,8 @@ - (IBAction)beginSuggestion:(id)sender {
 	// Add other system paths to this setting
 	NSString *fileTreePath = [[NSUserDefaults standardUserDefaults] stringForKey:@"fileTreeRootURL"];
 	if(fileTreePath && [fileTreePath length]) {
-		[array addObject:[NSURL URLWithString:fileTreePath]];
+		// Append false name to dodge the directory/fragment trimmer
+		[array addObject:[NSURL URLWithString:[fileTreePath stringByAppendingPathComponent:@"moo.mp3"]]];
 	}
 
 	NSString *soundFontPath = [[NSUserDefaults standardUserDefaults] stringForKey:@"soundFontPath"];
@@ -135,14 +101,7 @@ - (IBAction)beginSuggestion:(id)sender {
 
 	for(NSURL *fileUrl in array) {
 		NSURL *url = [sandboxBrokerClass urlWithoutFragment:fileUrl];
-		if([sandboxBrokerClass isPath:url aSubdirectoryOf:defaultMusic] ||
-		   [sandboxBrokerClass isPath:url
-		              aSubdirectoryOf:defaultDownloads] ||
-		   [sandboxBrokerClass isPath:url
-		              aSubdirectoryOf:defaultMovies] ||
-		   [sandboxBrokerClass isPath:url
-		              aSubdirectoryOf:container] ||
-		   [sandboxPathBehaviorController matchesPath:url])
+		if([sandboxPathBehaviorController matchesPath:url])
 			continue;
 
 		NSArray *pathComponents = [url pathComponents];

Utils/SandboxBroker.m

@@ -17,40 +17,6 @@
 
 #import "PlaylistController.h"
 
-static NSURL *_containerDirectory = nil;
-static NSURL *_defaultMusicDirectory = nil;
-static NSURL *_defaultDownloadsDirectory = nil;
-static NSURL *_defaultMoviesDirectory = nil;
-
-static NSURL *containerDirectory(void) {
-	NSString *path = [@"~" stringByExpandingTildeInPath];
-	return [NSURL fileURLWithPath:path];
-}
-
-// XXX this is only for comparison, not "escaping the sandbox"
-static NSURL *pathEscape(NSString *path) {
-	NSString *componentsToRemove = [NSString stringWithFormat:@"Library/Containers/%@/Data/", [[NSBundle mainBundle] bundleIdentifier]];
-	NSRange rangeOfMatch = [path rangeOfString:componentsToRemove];
-	if(rangeOfMatch.location != NSNotFound)
-		path = [path stringByReplacingCharactersInRange:rangeOfMatch withString:@""];
-	return [NSURL fileURLWithPath:path];
-}
-
-static NSURL *defaultMusicDirectory(void) {
-	NSString *path = [NSSearchPathForDirectoriesInDomains(NSMusicDirectory, NSUserDomainMask, YES) lastObject];
-	return pathEscape(path);
-}
-
-static NSURL *defaultDownloadsDirectory(void) {
-	NSString *path = [NSSearchPathForDirectoriesInDomains(NSDownloadsDirectory, NSUserDomainMask, YES) lastObject];
-	return pathEscape(path);
-}
-
-static NSURL *defaultMoviesDirectory(void) {
-	NSString *path = [NSSearchPathForDirectoriesInDomains(NSMoviesDirectory, NSUserDomainMask, YES) lastObject];
-	return pathEscape(path);
-}
-
 static SandboxBroker *kSharedSandboxBroker = nil;
 
 @interface SandboxEntry : NSObject {
@@ -69,7 +35,6 @@ @interface SandboxEntry : NSObject {
 @property NSInteger refCount;
 
 - (id)initWithToken:(SandboxToken *)token;
-- (id)initWithStaticURL:(NSURL *)url;
 @end
 
 @implementation SandboxEntry
@@ -84,17 +49,6 @@ - (id)initWithToken:(SandboxToken *)token {
 	return obj;
 }
 
-- (id)initWithStaticURL:(NSURL *)url {
-	SandboxEntry *obj = [super init];
-	if(obj) {
-		obj->_refCount = 1;
-		obj->_secureUrl = nil;
-		obj->_token = nil;
-		obj->_path = [url path];
-	}
-	return obj;
-}
-
 - (NSInteger)refCount {
 	return _refCount;
 }
@@ -193,22 +147,6 @@ + (BOOL)isPath:(NSURL *)path aSubdirectoryOf:(NSURL *)directory {
 - (SandboxEntry *)recursivePathTest:(NSURL *)url {
 	SandboxEntry *ret = nil;
 
-	static dispatch_once_t onceToken;
-	dispatch_once(&onceToken, ^{
-		_containerDirectory = containerDirectory();
-		_defaultMusicDirectory = defaultMusicDirectory();
-		_defaultDownloadsDirectory = defaultDownloadsDirectory();
-		_defaultMoviesDirectory = defaultMoviesDirectory();
-	});
-
-	NSArray *urls = @[_containerDirectory, _defaultMusicDirectory, _defaultDownloadsDirectory, _defaultMoviesDirectory];
-
-	for(NSURL *checkUrl in urls) {
-		if([SandboxBroker isPath:url aSubdirectoryOf:checkUrl]) {
-			return [[SandboxEntry alloc] initWithStaticURL:checkUrl];
-		}
-	}
-
 	NSPersistentContainer *pc = [SandboxBroker sharedPersistentContainer];
 
 	NSSortDescriptor *sortDescriptor = [NSSortDescriptor sortDescriptorWithKey:@"path.length" ascending:NO];